Upgrade PA HA firewall to 10.1.6-h6 from 10.1.4-h4

This article shows you how to upgrade the Palo Alto HA firewalls without downtime. This video is based on active/passive (HA) configuration and update one HA peer at a time.

Step 1: Save a backup of the current configuration file

•  Select Device>Setup>Operations and click Export named configuration snapshot.

•  Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.

•  Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.

Step 2: Download and install 10.1.6-h6 (sync with peer)

•  Go to Device>Software. Click Download on Version 10.1.6-h6

Step 3: Ensure that each firewall in the HA pair is running the latest content release version

•  Select Device>Dynamic Updates and check which Applications or Applications and Threats to determine which update is Currently Installed. If you are not sure, click on Check Now.

Step 4: Upgrade Software version on an HA Firewall Pair

For active/active firewalls, it doesn’t matter which peer you upgrade first (though for simplicity, this procedure shows you how to upgrade the active-primary peer first). For active/passive firewalls, you must suspend (fail over) and upgrade the active (primary) peer first. After you upgrade the primary peer, you must unsuspend the primary peer to return it to a functional state (passive). Next, you must suspend the passive (secondary) peer to make the primary peer active again. After the primary peer is active and the secondary peer is suspended, you can continue the upgrade. To prevent failover during the upgrade of the HA peers, you must make sure preemption is disabled before proceeding with the upgrade. You only need to disable preemption on one peer in the pair.

1.  Disable preemption on the first peer in each pair. You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.

1)  Select Device>High Availability and edit the Election Settings under General.

2)  If enabled, disable (clear) the Preemptive setting and click OK.

3)  Commit the change.

2.  Suspend the primary HA peer to force a failover.

1)  Select Device>High Availability>Operational Commands and Suspend local device for high availability.

2)  Click OK on the popup.

3)In the bottom-right corner, verify that the state is Suspended.

4)  The resulting failover should cause the secondary HA peer to transition to active state.

3.  Install PAN-OS 10.1.6-h6 on the suspended HA peer.

1)  On the primary HA peer, select Device>Software and click Check Now for the latest updates.

2)  Locate and Download PAN-OS 10.1.6-h6 if you did do it before.

3)  After you download the image (or, for a manual upgrade, after you upload the image), Install the image.

4)  After the installation completes successfully, reboot using one of the following methods:

If you are prompted to reboot, click Yes.

If you are not prompted to reboot, select Device>Setup>Operations and Reboot Device.

5)  After the device finishes rebooting (it may take a while), view the High Availability widget on the Dashboard and verify that the device you just upgraded is in sync with the peer.

* The status shows Passive on the just restarting Unit and Peer is Active.

4.  Restore HA functionality to the primary HA peer. 1)Select Device>High Availability>Operational Commands and Make local device functional for high availability.

2)  In the bottom-right corner, verify that the state is Passive.

3)  Wait for the HA peer running configuration to synchronize. In the Dasbhoard, monitor the Running Config status in the High Availability widget.

5.  On the secondary HA peer, suspend the HA peer.

1)  Select Device>High Availability>Operational Commands and Suspend local device for high availability.

2)  In the bottom-right corner on current unit, verify that the state is suspended.  

3) The resulting failover should cause the primary HA peer (was upgraded successful unit) to transition to Active state.

6.  Install PAN-OS 10.1.6-h6 on the secondary HA peer.

1)  On the second peer, select Device>Software and click Check Now for the latest updates.

2)  Locate and Download PAN-OS 10.1.6-h6 if it doesn’t sync from the first unit.

3)  After you download the image, Install it.

4)  After the installation completes successfully, reboot using one of the following methods:

•  If you are prompted to reboot, click Yes.

•  If you are not prompted to reboot, select Device>Setup>Operations and Reboot Device

7.  Restore HA functionality to the secondary HA peer.

1)  Select Device>High Availability>Operational Commands and Make local device functional for high availability.

2)  In the bottom-right corner, verify that the state is Passive.

3)  Wait for the HA peer running configuration to synchronize. In the Dasbhoard, monitor the Running Config status High Availability widget.

Active unit

Passive unit

8.  Re-enable preemption on the HA peer where it was disabled in the previous step.

1)  Select Device>High Availability and edit the Election Settings under General.

2)  Enable (check) the Preemptive setting and click OK.

3)  Commit the change.

9.  Verify that both peers are passing traffic as expected.

•  In an active/passive configuration, only the active peer should be passing traffic; both peers should be passing traffic in an active/active configuration.

•  Run the following CLI commands to confirm that the upgrade succeeded:

1)  (Active peers only) To verify that active peers are passing traffic, run the show session all command.

2)  To verify session synchronization, run the show high-availability interface ha2 command and make sure that the Hardware Interface counters on the CPU table are increasing as follows:

3)  In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.

10.  Test: The internet access and VPN.

Please review it on YouTube:

How to unlink Yahoo email from Gmail

Situation: the client has two email addresses, Yahoo and Gmail. By accident, he has linked two together. Now, he would like to know how to unlink them.

  1. Login Gmail account.
  2. In the top right, click Settings Settings and then See all settings.

3. Click Accounts and Import.

4. In the “Check mail from other accounts” section, click unlink.

5. You have two options in Unlink account

  • If you delete copies from Gmail, they’ll still be in the inbox of your other service (for example, Yahoo or Hotmail).
  • If you keep copies in Gmail, they’ll stay in your Gmail account. However, if you move or delete them in Gmail, these actions won’t be reflected in your other account.

How to configure Active Directory Authentication for GlobalProtect VPN users

Step 1: Setup LDAP Authentication – Create a server profile which identifies the external authentication service and instructs the firewall how to connect to that authentication service and access the authentication credentials for your users.

  1. Go to Device>Server Profiles>LDAP, and then Add an LDAP server profile.

2. Enter a Profile Name, such as GP-User-Auth.

3. Click Add in the Server List area

4. Enter the necessary information for connecting to the authentication server, including the server Name, IP address or FQDN of the LDAP Server, and Port.

5. Select the LDAP server Type; Enter the Bind DN and Password to enable the authentication service to authenticate the firewall.

6. commit the settings.

Step 2:

How to repair Windows using dell iDRAC

Situation: The has a new Windows server 2019. It crashed after a windows Update. They would like to repair it. Since the IT personal is WFH, he would like to know how to repair Windows from Dell iDRAC.

  1. Login iDRAC.
  2. Click on Virtual Media.

3. Click Choose File under Map CD/DVD and then click on Map device.

4. You need go to Boot and select Virtual CD/DVD/ISO under Boot Control.

5. When it’s popup for root from DVD, press Enter. You should have an option to repair.

How to install Windows from Dell iDRAC

Situation: The has a new Windows server 2019. It crashed after a windows Update. They would like to re-install it. Since the IT personal is WFH, he would like to know how to re-install windows from Dell iDRAC.

  1. Login iDRAC.
  2. Click on Virtual Media.

3. Click Choose File under Map CD/DVD and then click on Map device.

4. You need go to Boot and select Virtual CD/DVD/ISO under Boot Control.

5. When it’s popup for root from DVD, press Enter. Then follow the wizard to install Windows.

How to restore emails from a deleted Outlook account

  1. Find the Outlook data by going to C:\Users\yourusername\AppData\Local\Microsoft\Outlook or it could be My Document folder.
  2. Copy all PST or OST files into a new computer or new location you may want to restore.

For PST files In MS Outlook click on the File. Click the ‘Import and Export’ option. Then follow the instruction to import PST file.

For OST files,

  1. Open Outlook and go to the File
  2. Click on the Options from the left pane.
  3. Click on the Advanced option 
  1. and click on the Auto Archive Settings… 
  2. Following set up the auto-archive as per your need. You have to set the day count to run auto-archive. Also, you can set a count to clear old emails.
  3. Once done, click Ok, and Outlook will automatically create an archive of your OST emails at the specified time.
  4. You can ensure the Archive utility’s working by navigating the location that you pick to save the PST files.

Or you can export as PST files and then import it to the new Outlook.

Does Windows System Restore recover data or files?

May be no. System Restore is a Microsoft® Windows® tool designed to protect and repair the computer software. System Restore takes a “snapshot” of some system files and the Windows registry and saves them as Restore Points which allows users to revert their computer’s state to that of a previous point in time. Also, System Restore relies on the Shadow Copy service which is a technology included in Microsoft Windows that makes it possible to take backup copies or snapshots of files or volumes even when they are in use.

System Restore doesn’t know or care about any of your personal files.

If you accidentally delete a file and it is not recoverable from the Recycle Bin, there are third party tools that you can look into to see if they can recovery your lost file(s).  Generally speaking the data from “deleted” files are still on the hard drive until that space they occupy is needed for something else, then that space where your deleted file is will be overwritten.

Keep in mind that the more you “use” your disk and read/write data to it, the less your chances of recovery the file are going to be since XP may decide to use that area of the disk where your deleted file is.  So if you delete something accidentally, you should try to recover it ASAP.

Some folks have good result with this free tool (you can use Google to find others):

Recuva

If you feel like trying it out, install it, make a few temporary files or copy some files somewhere to another folder/location, and delete the temporary or copied files on purpose.

Then see if Recuva will recover them for you.

If you don’t like it, uninstall it.  Sometimes I install it just to recovery a file(s), then uninstall it when I’m done.
 Report abuse

However, if you Windows issue and you can’t access some files or applications, you may use System restore to fix those issues. Then be able t access files.

How to exclude individual user or country from Azure Condition Access

With the Microsoft Azure Conditional Access, you can control access to your cloud apps based on the network location of a user or group users. However, in some cases, you may want to allow a user from a restricted location to access Microsoft cloud apps.

Resolution 1: Exclude a user from Azure Condition Access

  1. Login Azure portal and click on Azure Active Directory.

2. Click on Security

3. Click on Condition Access under Getting Started.

4. Select your Access policy, Block Access policy in our example.

5. Select Users or workload identities, All users included and specific excluded in our example.

Resolution 2: Exclude a country from Azure Condition Access

How to delete Email Account in Veeam Backup

Situation: The client created many email accounts i Veeam Backup for testing Notification as shown below. Thye don’t see any options to delete them.

Resolution: You need to delete them from manage Credentials by clicking Veeam Backup Settings icon>Manage Credentials.

You will have an option to Remove.